As we were going through our masters' puppet.conf the other day we noticed the **hostprivkey** and **hostcert** settings set in the [master] section. This is some pretty old configuration that we 've been very slowly (very!!!) updating since the same puppetmaster configuration is being used across more than one environments and departments (each hosting their own puppetmasters - we value code reuse - maybe a bit too much). So, it turns out we have these settings set since the puppet 0.24.x something days.
As we were reevaluating them, we realized that by mistake we had them set to non existing files for about a year now with absolutely no ill effect. After some code reading[1], we think that **hostprivkey** is utterly unused. Setting it either in [master], [agent] or [main] has absolutely no effect. **hostcert** seems to be used in 2 places. One is during puppet cert generate [2] and the other is when creating the http connection to the master [3] (note how ssl_certificates_are_present? is used in setup_connection() in line 120. Setting it in [main] or [agent] to /dev/null in an already functioning agent has no effect. Setting it to a non existing file causes the agent to croak with SSL errors (at least that's expected). Setting it to anything in [master] on a master does nothing.
All other references to those 2 settings seem to have been removed in https://github.com/puppetlabs/puppet/commit/3a8b376b11a02643fee8cef15714914c21f08163, which was first released in 2.7.6 (yup.. that old).
So... finally the question: Has anyone messed with these settings and has some more info that would help clarify this a bit more and whether we should file a task upstream ?
[1] https://github.com/puppetlabs/puppet/search?utf8=%E2%9C%93&q=hostprivkey&type=
[2] https://github.com/puppetlabs/puppet/blob/master/lib/puppet/face/certificate.rb#L80
[3] https://github.com/puppetlabs/puppet/blob/master/lib/puppet/ssl/validator/default_validator.rb#L171
↧